The Internet is a colossal computing network open to hundreds of millions of computers and users. The Internet's community of users is constantly engaged in research, innovation and dialog about computer security vulnerabilities.
A vulnerability is a weakness in a piece of software that can be exploited by (“malicious code”). Some users (“malefactors”) seek to use malicious code to exploit vulnerabilities. But the crafting of malicious code is not easy. Usually, only a very talented programmer is capable of writing malicious code that is effective at exploiting a given vulnerability, and usually that programmer must toil tediously for some time to create competent malicious code.
Often, when a talented programmer creates an example of malicious code, he or she posts it publicly on the Internet so that others including malefactors can inspect, test, critique and use it. Within the community of Internet users, the examples of malicious code effective at exploiting any specific vulnerability are usually few in number. A single example of malicious code is commonly borrowed and used by many different malefactors who incorporate it (e.g., “cut and paste” it) into a number of diverse packages, such as an image file or a web site designed to perform a “drive-by download”. They may also bundle it with a number of different payloads, such as a rootkit or a keystroke logger.
In theory, many vulnerabilities exist inside most complex software products such an operating system (e.g., Windows® published by Microsoft Corporation). A given vulnerability, however, is unknown until a researcher discovers it. Nevertheless, upon discovering a particular vulnerability, the natural inclination of a researcher is to share the discovery publicly, either by talking about it or by attempting to exploit it in a way that can be monitored publicly. Rarely is the discovery of a particular vulnerability kept a secret for long. News spreads and becomes available on Internet bulletin boards and chat rooms or from public monitoring of new exploits.
Typically, once the publisher of the affected software product learns of the vulnerability, they undertake to design, write, test and release a software “patch” to close off this known vulnerability. The patching process, however, is fraught with delay and hence a “risk window” arises.
For example, as a patch is released, the publisher makes it available to computer owners via Internet downloading or other distribution so that they may install it on their computers. For owners of computers running vulnerable software, the preparation, distribution, and installation of a patch can be a painfully slow and arduous process. For instance, time passes as the software publisher works on the patch. Then the installation of the patch may require manual action on the part of the owner, which can be a burden on an enterprise owning hundreds or thousands of computers. Further, owners such as enterprises often must test the patch before installing it on many of their computers and sometimes a patch will conflict with desired functions of other applications. Additional time may also pass if a publisher discovers after it releases a patch that it is faulty and must be recalled, revised, and reissued.
After a vulnerability becomes known in the community, well-crafted malicious code capable of infecting particular computers is developed and deployed before the software on them is patched. Malefactors seek to trespass through this risk window and some programmers endeavor to help them. Accordingly, once a vulnerability becomes known, talented programmers typically race to create and publish malicious code so as to maximize the time available within the risk window.
Until now, many types of security software such as antivirus software have attempted to stop a particular example of malicious code by looking for a sequence of bytes in the binary file (i.e., signature) that uniquely identifies the structure of the programming code in the example. Typically, such examination of files or other code occurs at the application layer in the Open Systems Interconnection (OSI) model. More specifically, the scanning of viruses is performed on the files after being stored in the file system or while held in memory on the computing system. Although these systems work well for most viruses, through the use of exploited vulnerabilities, malicious code can be entered into the targeted computer at deeper levels than the application layer. As such, the malefactors exploiting such software vulnerabilities can cause the malicious code to be executed before typical security software can detect it and take action.